<P><FONT SIZE=2>Logically, I would think that it is possible. The real question is, would it do what you have in mind? I'm not up on the rules language, but there is a flex-resp action for it: icmp_host (for destination host unreachable, anyway). The rule could be triggered by ICMP requests of the proper type. The catch is, though, that that same ICMP request would in fact breeze right by the IDS unmolested. The end result is most likely two answers for the same request. Maybe you could 'patch' this up by blocking the normal answers via firewall rules. You could block all ICMP answers from everything but the IDS... That might work. Bear in mind, this is all still fuzzy logic. I have tested none of this.</FONT></P>